Today's computer antivirus industry faces constantly evolving opposition from the producers of computer viruses and other malware. New malware is developed to circumvent protection methods, techniques and systems for detecting malicious programs or hacking activity. Moreover, the protection mechanisms are themselves attacked in order to impede or disable their protective functionality.
A “man in the middle” attack (often abbreviated MITM, MitM, MIM or MiM, and sometimes called a bucket brigade attack or a Janus attack) is a cryptography term describing a situation in which the attacker is able to read and arbitrarily modify the messages exchanged by two communicating parties, while neither party can detect the attacker's presence in the communication channel. See, for example, http://en.wikipedia.org/w/index.php?title=Man-in-the-middle_attack&oldid=518960767, the disclosure of which is incorporated by reference herein.
There are other examples of attacks on computing network resources, such as attacks on the cache of a Domain Name System (DNS) server. Usually, on a network, a computer uses a DNS server provided by the company or by an Internet service provider (ISP). DNS servers are often installed on corporate networks in order to speed up name resolution by caching previously received responses to requests. An attack on the cache of a DNS server can affect the users of that server, and even the users of other servers linked to the DNS server whose cache is rewritten as a result of a successful attack.
To perform the attack, the offender exploits a weakness in the DNS server software. If the first DNS server (the one resolving on behalf of its users) does not verify that the responses it receives from the second DNS server are authentic, so as to make sure they come from a trusted source (for example, by validating Domain Name System Security Extensions, DNSSEC, signatures), the offender can impersonate the second DNS server. In this situation, the first DNS server caches the incorrect responses sent by the offender's DNS server, stores the falsified records locally, and uses them to respond to user requests; the users, in turn, receive falsified responses and IP addresses.
Such attacks can be used to redirect users to a website or a fake mail service of the attacker's choice. The pages of such a website can contain, for example, network worms or viruses, while a fake mail service can collect mailbox logins and passwords from users and forward the account information to the offender. Visitors to such fake websites receive no indication of the falsification and may well download malicious software. To perform such an attack, the attacker induces the targeted DNS server to issue a query for a domain for which the attacker's DNS server is the trusted (authoritative) one.
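The following Python model illustrates the cache-poisoning sequence described above. It is an added example, not part of the original text or of any product it describes. The naive cache accepts every record in every response it receives, as the text describes for a server that performs no validation; the checked cache applies the sanity checks a real resolver performs (matching transaction ID, matching question section, and discarding records outside the bailiwick of the server that was asked) and so rejects the forged data. DNSSEC signature validation, which the text names, is not modelled; these cheaper checks stand in for it, which is an assumption of this example. All names, transaction IDs and addresses are constructed sample values.

```python
"""Toy model of DNS cache poisoning (added example; not from the original text).

Assumption: a resolver sends a query carrying a 16-bit transaction ID and
accepts the first response that appears to answer it. The forged data and the
addresses below are constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass

ATTACKER_IP = "203.0.113.66"    # constructed
REAL_MAIL_IP = "198.51.100.25"  # constructed


@dataclass(frozen=True)
class Query:
    txid: int   # transaction ID the resolver chose for this query
    qname: str
    qtype: str
    zone: str   # zone the server being asked is authoritative for


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    qtype: str
    answers: tuple
    authority: tuple = ()
    additional: tuple = ()


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class NaiveCache:
    """Caches every record in every response it is handed (vulnerable)."""

    def __init__(self):
        self.records = {}

    def process(self, query, response):
        for rr in response.answers + response.authority + response.additional:
            self.records[(rr.name.lower(), rr.rtype)] = rr.rdata
        return True  # response accepted

    def lookup(self, name, rtype):
        return self.records.get((name.lower(), rtype))


class CheckedCache(NaiveCache):
    """Response must match the outstanding query; only in-bailiwick records are stored."""

    def process(self, query, response):
        if response.txid != query.txid:
            return False  # not the query we sent: drop it
        if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
            return False  # answers a different question: drop it
        for rr in response.answers + response.authority + response.additional:
            if in_bailiwick(rr.name, query.zone):
                self.records[(rr.name.lower(), rr.rtype)] = rr.rdata
        return True


def poisoning_scenario(cache):
    """The resolver is induced to query a name in the attacker's zone; the attacker's
    server smuggles records for the victim's zone into authority/additional."""
    q = Query(txid=0x1A2B, qname="www.attacker.example", qtype="A", zone="attacker.example")
    forged = Response(
        txid=q.txid, qname=q.qname, qtype=q.qtype,
        answers=(RR("www.attacker.example", "A", "203.0.113.10"),),
        authority=(RR("bank.example", "NS", "ns.attacker.example"),),
        additional=(RR("mail.bank.example", "A", ATTACKER_IP),
                    RR("ns.attacker.example", "A", ATTACKER_IP)),
    )
    cache.process(q, forged)
    # Later a user asks this resolver for the bank's mail server.
    return cache.lookup("mail.bank.example", "A")


def blind_spoof_scenario(cache):
    """A forgery with a guessed transaction ID races the genuine response. A resolver
    stops waiting once it accepts an answer, so the genuine one counts only if the
    forgery was rejected."""
    q = Query(txid=0x7F31, qname="mail.bank.example", qtype="A", zone="bank.example")
    spoofed = Response(txid=0x0001, qname=q.qname, qtype=q.qtype,
                       answers=(RR("mail.bank.example", "A", ATTACKER_IP),))
    genuine = Response(txid=q.txid, qname=q.qname, qtype=q.qtype,
                       answers=(RR("mail.bank.example", "A", REAL_MAIL_IP),))
    if not cache.process(q, spoofed):
        cache.process(q, genuine)
    return cache.lookup("mail.bank.example", "A")


if __name__ == "__main__":
    for label, cls in (("naive", NaiveCache), ("checked", CheckedCache)):
        print(label, "poisoning ->", poisoning_scenario(cls()),
              "| blind spoof ->", blind_spoof_scenario(cls()))
```

With the naive cache, both scenarios leave the resolver answering the attacker's address for the bank's mail server, which is exactly the redirection to a fake mail service the text describes. With the checked cache, the out-of-bailiwick records are discarded and the mis-numbered forgery is dropped, so the genuine answer is the one cached.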
One known approach for dealing with network attacks involves gathering statistics on network traffic parameters and using them to detect various known types of attack, such as port scanning. Attacks are detected by applying analysis rules to the traffic parameters and to the header fields of network packets. Certain systems of this type use Bayesian networks to give early notice of an impending attack and to trigger preventive security measures.
Although such an approach may be able to give early warning that an attack on a network is beginning, it relies on gathering statistics of actual network usage, which means the system can only counter known types of attack or mitigate the consequences of an attack that is already underway. One drawback of this approach is the inability to respond immediately, i.e. before sufficient statistics have been gathered to detect the attack. In the case of an attack intended to steal account information, for example, the attempt should ideally be prevented before any user account information actually leaks.
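To make the trade-off concrete, the following Python example implements a statistics-based port-scan detector of the kind the preceding paragraphs describe and runs it over constructed flow records. It is an added example, not code from the original text or from any system it describes; the sliding-window rule (alert once one source has contacted a threshold number of distinct ports on one host within a time window) is a common detector design chosen here for illustration, and the threshold, window and sample addresses are assumptions. The detector reports how many probes had already gone by before the statistics were sufficient to raise an alert, which is the delay the text identifies as the drawback of this approach, and a narrower window shows how a slower scan stays below the threshold entirely.

```python
"""Threshold-based port-scan detector over flow records (added example; not from
the original text). Flow records are (timestamp_seconds, src_ip, dst_ip, dst_port)."""
from collections import defaultdict, deque

# Constructed sample traffic: 10.0.0.5 probes eleven ports on 192.0.2.10 in a few
# seconds; 10.0.0.7 is an ordinary client using only 80 and 443.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.7", "192.0.2.10", 443),
    (0.5, "10.0.0.5", "192.0.2.10", 21),
    (0.6, "10.0.0.5", "192.0.2.10", 22),
    (0.7, "10.0.0.5", "192.0.2.10", 23),
    (1.0, "10.0.0.7", "192.0.2.10", 80),
    (1.1, "10.0.0.5", "192.0.2.10", 25),
    (1.2, "10.0.0.5", "192.0.2.10", 53),
    (1.3, "10.0.0.5", "192.0.2.10", 80),
    (1.4, "10.0.0.5", "192.0.2.10", 110),
    (1.5, "10.0.0.5", "192.0.2.10", 143),
    (2.0, "10.0.0.7", "192.0.2.10", 443),
    (2.1, "10.0.0.5", "192.0.2.10", 443),
    (2.2, "10.0.0.5", "192.0.2.10", 3306),
    (2.3, "10.0.0.5", "192.0.2.10", 8080),
]


def detect_port_scans(flows, threshold=10, window=5.0):
    """Alert when one source contacts >= `threshold` distinct destination ports on one
    destination within `window` seconds (threshold and window are assumed values).

    Returns one alert per (src, dst), recording when it fired and how many probes from
    that source had already been seen before the statistics sufficed."""
    history = defaultdict(deque)  # (src, dst) -> deque of (ts, port) inside the window
    alerted = set()
    alerts = []
    for idx, (ts, src, dst, port) in enumerate(flows):
        key = (src, dst)
        q = history[key]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire records outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src, "dst": dst, "fired_at": ts, "ports": sorted(distinct),
                "probes_before_alert": sum(1 for f in flows[:idx] if (f[1], f[2]) == key),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: alert at t={a['fired_at']}s after "
              f"{a['probes_before_alert']} probes; ports {a['ports']}")
    print("1 s window:", detect_port_scans(SAMPLE_FLOWS, window=1.0))
```

On the sample traffic the alert for 10.0.0.5 fires at t=2.2 s, after nine probes have already reached the target; the ordinary client never trips the rule. With the window narrowed to one second, the same scan never accumulates ten distinct ports inside the window and is not detected at all, illustrating that a detector of this kind can act only once enough statistics have been gathered, and only against behaviour that matches a rule it already has.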
Accordingly, a solution is needed that avoids the drawbacks described above and that is preferably capable of addressing other needs as well.